Abstract. The objective of this work is to survey several digital signatures proposed in the last decade using non-commutative groups and rings and propose a digital signature using non-commutative groups and analyze its security.
1. Introduction to Digital Signatures

We start by describing digital signatures using an analogy of a signed message (document) from the non-digital world, whereby a person signs a document, seals it in an envelope and mails it to a recipient. Upon receipt of the envelope the recipient opens and examines the document, specifically the signature, to verify the authenticity of the document and that the author was in fact the expected sender of the envelope. Similarly a digital signature scheme provides a way for each user to sign messages so that the signatures can later be verified by anyone else. To be precise, each user creates a matched pair of private and public signatures for the message (using the signer's public key). The verifiers can convince themselves that the message contents have not been altered since the message was signed. Furthermore, the signer cannot later deny having signed the message, since no one but the signer possesses his private key. The recipient can perform the inverse operations of opening the letter and verifying the signature. Such signature schemes for electronic mail are already quite widespread today (see [7]). This is often cited as one of the most fundamental and useful inventions of modern cryptography.

2. The Ingredients of Digital Signatures 

We follow the notation of Goldwasser and Bellare in their MIT lecture notes (for further reading and definitions see [7]). A digital signature scheme within the public key framework is defined as a tuple of algorithms $(G, \sigma, V)$. The key generation algorithm $G$ takes as input a security parameter and outputs $P$ and $S$, a public key and a secret key respectively. The signing algorithm $\sigma$ takes as input the security parameter, the secret key $S$ and a message $m$. The output produced is a string $s$, the signature of the message $m$. Finally, the verification algorithm $V$, when given the public key $P$, a digital signature $s$, and a message $m$, returns either true or false indicating whether or not the signature is valid.

2.1. Classical digital signatures. We briefly mention a couple of classical digital signatures, again following [7].

2.1.1. RSA Digital Signature Scheme. The RSA digital signature scheme is based on the RSA cryptosystem. The public key consists of a pair of integers $(n, e)$ where $n$ is the product of two large primes and $e$ is relatively prime to $\phi(n)$ ($\phi$ is Euler's totient function). The secret key, $d$, is chosen such that $ed \equiv 1 \pmod{\phi(n)}$. One signs a message by computing the signature $\sigma(m) = m^d \bmod n$. To verify that this is a valid signature one raises the signature to the power $e$ and compares it to the original message.

2.1.2. El Gamal Digital Signature Scheme. The El Gamal digital signature scheme is based on the Diffie-Hellman key exchange (DHKE) problem, and the difficulty of solving this problem. Presently, it is suggested that the best approach to tackling the DHKE problem is to first solve the discrete log problem. However, it is unknown whether computing a discrete log is as hard as solving the Diffie-Hellman problem. The DHKE problem, upon input a prime $p$, a generator $g$ of the group $\mathbb{Z}_p^*$ and the two elements $g^x$ and $g^y$ (for $x, y \in \mathbb{Z}$), seeks to determine $g^{xy} \bmod p$.

2.1.3. Schnorr Digital Signature Scheme. The Schnorr signature algorithm's security is based on the intractability of certain discrete logarithm problems [14]. This signature scheme is considered one of the simplest digital signature schemes to be provably secure in a random oracle model. It is both efficient and allows for the generation of short signatures.

2.2. Non-commutative digital signatures using non-commutative 
groups and rings. 

2.2.1. Braid Groups. In 2002 Ko, Choi, Cho and Lee [11] proposed a digital signature using braid groups where they assume the conjugacy search problem is hard, but the conjugacy decision problem is feasible. In 2009 Wang and Hu [15] proposed a new digital signature based on a non-commutative group. Their signature scheme is based on the root extraction problem over braid groups.

We note that in general the conjugacy search problem in braid group based schemes is susceptible to length-based attacks (see [13], [5] and [8]) and as such braid groups may not be suitable as platforms for non-commutative digital signatures.



2.2.2. Division Semirings. Another example of generating digital signatures over non-commutative algebraic objects was given by Anjaneyulu, Reddy and Reddy in 2008 [1]. They consider polynomials over non-commutative division semirings. They assume that the computational Diffie-Hellman problem is hard in their setup. Additionally their signature also relies on the difficulty of the generalized symmetrical decomposition (GSD) problem as applied to their rings.

The authors propose that their signature is both secure against data forging of the message and against existential forgery. However, we believe that both these claims may be incorrect. In their scheme, if someone replaces the valid message $M$ with a forged message $M_f$, then the signature already sent would still be valid: although $M$ is used in creating the signature, it is not needed in the verification of the signature. Hence the verification test will succeed.

For existential forgery one is required to produce a valid signature for any message of their choosing. As such, one can at will choose parameters that satisfy their verification algorithm.



2.2.3. General Non-Commutative Rings. In order to limit the ability of a third party to verify the validity of a signature, Chaum and van Antwerpen [3] introduced the notion of undeniable signatures. Like a digital signature, undeniable signatures depend on the signer's public key as well as on the message signed. However, verification can only be achieved by interacting with the legitimate signer through a confirmation protocol. This method also allows the signer to deny the signature. In particular, if the signer refuses to deny, or fails to deny the signature, then the signature is assumed to be legitimate. Furthermore, as the signer's cooperation is required for verification of the signature they are protected from verification attempts by unauthorized third parties.
3. A Non-Commutative Digital Signature

Let $G$ be an infinite finitely presented group with exponential growth rate, such that there is no known polynomial-time algorithm for solving the conjugacy search problem. In the signature we use $f$ to represent a simple mapping function $f : G \to \{0,1\}^*$, which maps our group to some binary representation that can be digitally encoded. We will also be using a collision-free hash function $H$ which maps into $G$. We note that for our algorithm Alice's public key will have to be updated/changed periodically depending on the number of messages she transmits.

• Setup: The signer, Alice, chooses a group element $g$, a private key $s \in G$ and an integer $n \in \mathbb{N}$. We note that in our scheme $n$ should be chosen to be a highly composite number, $n = \prod_k p_k^{e_k}$, where the $p_k$ are prime and $e_k \in \mathbb{N}$. She then computes $x = g^{ns}$ and publishes $x$. Note, when exponentiating with an element $h \in G$ we are representing conjugation, $g^h = h^{-1} g h$. Furthermore, the centralizer of $g$ should be trivial, i.e. the set of group elements commuting with $g$ should consist of only the identity.

• Key generation: The signer wishes to sign the message $m$, which is a bit string. She picks $t$ uniformly at random from $G$, a random factorization $n = n_i n_j$, and computes the key

$$y = g^{n_i t}.$$

• Signature: To generate the signature $\sigma$ compute the following:

$$h = H(m \,\|\, f(y)), \qquad a = t^{-1} s h y.$$

Alice then publishes her signature $\sigma = (y, a, n_j)$ and the message $m$.

• Verification: To verify the signature compute $h' = H(m \,\|\, f(y))$. The signature is valid and accepted if and only if

$$y^{n_j a} = x^{h' y}.$$

3.1. Security Analysis of the Signature Protocol. We note that the idea for this algorithm was inspired by Schnorr's digital signature for commutative groups. In particular, the use of string concatenation and a hash function were borrowed from this scheme.

3.1.1. Completeness. Given a signature $(y, a, n_j)$ generated by Alice, and the public key $x$, Bob will always accept the signature as valid following the verification algorithm. First Bob computes $h' = H(m \,\|\, f(y)) = h$. He then verifies the equation $y^{n_j a} = x^{h' y}$. The left hand side yields

$$y^{n_j a} = y^{n_j t^{-1} s h y} = g^{n_i t n_j t^{-1} s h y} = g^{n s h y} = x^{hy}.$$

As $h' = h$ the equation is valid, hence the protocol is complete.

3.1.2. Data forging. Suppose that the forger Eve replaces the valid message to be signed, $m$, with a forged message, $m_f$. Then when Bob computes $h' = H(m_f \,\|\, f(y)) \neq H(m \,\|\, f(y)) = h$ he won't be able to verify that $y^{n_j a} = x^{hy} \neq x^{h' y}$. This equation in general doesn't hold unless there is a collision in the hash function for the particular choices of $(m, y, f)$, which is unlikely given our assumptions about $H$.

3.1.3. Existential Forgery. Suppose Eve wishes to sign a forged message $m_f$. She would then have to generate a valid signature $\sigma = (y_f, a_f, n_{j_f})$ which passes the verification algorithm. It is here where it becomes necessary to use an exponent $n$. For if $n = 1$ then the verification reads $y^{a} = x^{hy} \Leftrightarrow y^{a y^{-1}} = x^{h} \Leftrightarrow y^{\beta} = x$, where $\beta = a y^{-1} h^{-1}$. Hence choosing $\beta$ determines $y$, which in turn gives us $h$ and hence $a$. Combining all this yields an existentially forged signature for any $m$.

Repeating the above in our case yields $y^{n_j \beta} = x$. In order to solve this equation $y$, $\beta$ and $n_j$ must be determined. A priori it is not clear how this may be done. One may proceed by choosing 2 of the 3 unknowns and solving for the third. In this case, if $\beta$ is the last parameter left, then we are left to solve the CSP, which we know to be difficult for a given platform group. Hence one must choose $\beta$. If we next choose $n_j$, then we need to solve $y^{n_j} = x^{\beta^{-1}}$. We are not guaranteed a solution of this equation in general, as this implies the existence of, and the ability to compute, roots in the underlying group. Hence this forces us to choose both $\beta$ and $y$, which again means we need to solve a DH problem which may or may not have a solution and is already computationally hard.

Based on the above we believe that existential forgery of this protocol is not possible unless one already knows a root of $x$. It turns out that this can be done once Alice has sent out a message and its signature. One can determine an $n_j$-th root of $x$ by computing $y^{a y^{-1} h^{-1}}$. In order to stop Eve from forging a message using this $n_j$, Alice needs to keep a public list updated with the $n_j$'s she has used so far. If we receive a message with an $n_j$ already used then we know it must not be from Alice.

Another option is an adaptive chosen ciphertext attack, where Eve gets to submit messages of her choosing for signing. Again this method of attack is unlikely to succeed as the most Eve will obtain is a distribution of $t^{-1}s$, which is random and should yield no information about $s$ nor $t$. In addition, Eve will be receiving information about $n$ as well; however, as suggested before, once Alice has exhausted a small list of factorizations we recommend switching to a new $x$ and $n$. This switch can be prolonged if careful choices are made in the factorization of $n$. In particular we can specifically choose not to include certain primes in the integer $n_j$ that is published, or even to restrict the exponents of the primes used in $n_j$.

3.1.4. Soundness. One method of breaking the security requires the eavesdropper to recover $s$, $t$ or $n$. Since neither $g$ nor $n$ was ever published, nor needed, there isn't a clear method of starting a CSP attack. One would either have to be able to attack the random algorithm which generates $t$ and hence obtain information about $t^{-1}s$, or there would have to be some method of attacking the hash function. Hence the security of this signature generation protocol relies on the appropriate choice of hash function and the method by which one obtains random group elements. Care must also be taken as to how the elements are transmitted. Since an eavesdropper can always read back $s^{-1}t$, for random $t$, we must make sure that this doesn't leak any information about $s$.

3.2. Proposed Platforms. We advocate using platform groups for which the conjugacy search problem is hard. Such non-commutative groups have been discussed in [12]. In particular, any group which has been deemed secure against length based attacks and other attacks may be used. Such groups include polycyclic groups, as they have been proposed for cryptography in [9] and [10]. Garber, Kahrobaei and Lam in [6] have done some experiments which show that well-chosen polycyclic groups with high Hirsch length are secure against length based attacks. For a survey on non-commutative group-based cryptography see [2] and [12].